A VPC endpoint lets you connect to AWS services that sit outside your VPC over a private link. VPC endpoints use AWS PrivateLink in the backend, so resources in the VPC can reach AWS services without public IPs, and the traffic never leaves the Amazon network. AWS PrivateLink is a highly available, redundant and scalable technology.
What happens without an endpoint?
Data transfer goes over the internet, which takes much longer to move the data because of the available bandwidth, and data-transfer cost is charged according to the PUTs and GETs.
There are two types of VPC endpoints, interface endpoints and gateway endpoints. In this article we will see how to create a gateway endpoint.
Interface endpoints are elastic network interfaces (ENIs) with private IP addresses. The ENI acts as the entry point for traffic destined to a particular service. Services such as Amazon CloudWatch Logs, Amazon SNS, etc. are supported.
A gateway endpoint is a gateway that you specify as the target of a specific route in the route table. It is used to route traffic to the destined AWS service. As of now, Amazon S3 and DynamoDB are the only services supported by gateway endpoints.
Below are the steps to create a gateway endpoint:
Step 1: Go to the VPC section, select Endpoints, then Create Endpoint.
Step 2: Select the service: choose Gateways, then S3.
Step 3: Choose your VPC, followed by the subnet, then click Create Endpoint.
Configuration of Route Tables
When a gateway endpoint is created for a service, a route is automatically added to the route tables with the service's prefix list ID as the destination and the endpoint ID as the target.
Step 4: Now check the route table; you will notice a new route table association.
When you already have an existing route to the internet, traffic to other AWS services uses the same internet gateway. When you create an endpoint, a route is added to the route tables whose destination is the service for which the endpoint was created. From then on, all traffic destined to that service goes through the endpoint, whereas the rest of the internet traffic and traffic to other AWS services still uses the internet gateway.
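The route-table behaviour above, and the endpoint policy a practitioner would attach at creation time, shown as an added Python example (this is not code from the original article; the route table JSON is a constructed sample in the shape `aws ec2 describe-route-tables` returns, and every ID in it is a made-up placeholder). The first two functions verify that a route table actually sends the service's prefix list (`pl-...`) to the endpoint (`vpce-...`) rather than to the internet gateway; the last two build the policy documents that keep the endpoint from becoming a path to arbitrary buckets, and that keep a bucket reachable only through the endpoint:

```python
import json

# Constructed sample: one route table as returned by `aws ec2 describe-route-tables`,
# trimmed to the fields this check needs. All IDs below are made-up placeholders.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "VpcId": "vpc-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        # The route a gateway endpoint adds: service prefix list -> endpoint.
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example", "State": "active"},
    ],
}


def endpoint_routes(route_table):
    """Return (prefix_list, target, state) for routes that point at a gateway endpoint.

    A gateway endpoint appears as a route whose destination is the service's
    managed prefix list (pl-...) and whose target is the endpoint (vpce-...).
    The 0.0.0.0/0 route keeps carrying everything else to the internet gateway.
    """
    found = []
    for route in route_table.get("Routes", []):
        prefix = route.get("DestinationPrefixListId", "")
        target = route.get("GatewayId", "")
        if prefix.startswith("pl-") and target.startswith("vpce-"):
            found.append((prefix, target, route.get("State")))
    return found


def has_active_endpoint_route(route_table, endpoint_id):
    """True if this route table has an active route targeting `endpoint_id`."""
    return any(t == endpoint_id and s == "active"
               for _, t, s in endpoint_routes(route_table))


def s3_endpoint_policy(bucket_names):
    """Least-privilege endpoint policy: allow only the named buckets through the endpoint.

    The default endpoint policy allows full access, so a scoped policy is what
    stops the endpoint from being used to reach any bucket in the partition.
    """
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyNamedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def bucket_policy_requiring_endpoint(bucket_name, endpoint_id):
    """Bucket policy that denies any request not arriving through `endpoint_id`.

    Uses the aws:SourceVpce condition key, so the bucket is reachable from the
    VPC's gateway endpoint but not from the public internet.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
        }],
    }


if __name__ == "__main__":
    print("endpoint routes:", endpoint_routes(SAMPLE_ROUTE_TABLE))
    print(json.dumps(s3_endpoint_policy(["app-data-bucket"]), indent=2))
    print(json.dumps(bucket_policy_requiring_endpoint("app-data-bucket", "vpce-0example"), indent=2))
```

The endpoint policy is what you would pass as `--policy-document` to `aws ec2 create-vpc-endpoint` (with `--vpc-endpoint-type Gateway`, `--service-name com.amazonaws.<region>.s3` and the `--route-table-ids` to attach); the route check can be run over the output of `aws ec2 describe-route-tables` after Step 4 to confirm the association took effect. One caveat on the bucket policy: an explicit Deny keyed on `aws:SourceVpce` also blocks console and CLI access from outside the VPC, including your own administrators, so add the Deny only once you have a path in through the endpoint.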
Limitations of VPC Endpoints
Below are some of the limitations of VPC Endpoints:
- Interface endpoints currently support only TCP traffic.
- Endpoints currently support only IPv4 traffic.
- Endpoints cannot be tagged the way EC2 instances can.
- Endpoints are only supported within the same region. You cannot use an endpoint to connect a service in one region to a VPC in a different region.
- Once created, an endpoint cannot be transferred from one VPC to another, or changed to a different service.
VPC endpoints are very useful when you want to connect to an AWS service from within your VPC. Since the endpoint devices are virtual, they are very easy to manage.